Government agencies at the federal, state, and local levels must prepare for a future where they experience uncertainty, headcount reductions, contract cancellations, and budget cuts. This is gut-wrenchingly difficult to process, yet remaining leaders must figure out how to move forward to serve the mission.

For public sector cybersecurity leaders, this is even more paramount. The threat landscape is rapidly evolving with the onset of AI-related innovation, regulatory disruption, and job loss radicalization. This, coupled with their own major organizational and funding changes, leaves agencies vulnerable. The mission and challenge to keep systems, data, employees, and citizens secure has not changed. It is time to regroup and figure out how best to support that mission despite current obstacles.

At the same time, public-sector security leaders must demonstrate how their programs deliver value, secure vital data and systems, and help their departments demonstrate trust — efficiently and effectively — to avoid additional cuts. Yet budget and personnel constraints exacerbate the challenge to do so. Recognizing these real constraints, we’ve outlined key initiatives and strategies that public sector organizations must prioritize today to demonstrate near-term operational efficiencies and plan for long-term success.

Prioritize What You Can Control Today

The old maxim “control the controllables” applies to security leaders in these uncertain times. It is the fundamentals, communication in and outside your team, and embedding security that will serve your mission best when resources are constrained. Focus efforts on things in your sphere of control and:

  • Use Zero Trust as your anchor and justification for funding. Despite federal policy changes, Zero Trust adoption remains a government priority. Federal, state, and local agencies should continue prioritizing Zero Trust to counter rising cyber threats and streamline operations. Zero Trust offers the path of least resistance to justify current security projects and demonstrate funding needs for future capabilities. Map your current security initiatives to the Zero Trust capabilities they enable. Highlight Zero Trust as the modern, proactive approach to securing systems in the face of increased attacks and its value to reduce risk. Emphasize its alignment with existing government cybersecurity strategies and leverage federal grants (if not severely impacted) to help fund Zero Trust adoption for state and local governments. Specifically, prioritize Zero Trust initiatives that improve segmentation, streamlining access controls and increasing visibility to demonstrate quick ROI through cost avoidance and operational efficiency.
  • Augment security operations with MDR partners. As staffing becomes constrained, bolster security operations by relying on the MDR partners you already have. Your security operations staff may have to play double duty and support other cybersecurity initiatives, so having your outsourced provider do as much of the heavy lifting as possible will reduce friction. For example, many MDR providers are adding abilities for managed proactive security services, such as vulnerability prioritization and attack surface management, which their situational and reactional insights naturally augment.
  • Work with groups of similar agencies and roles. Coalitions of agencies, states, counties, and municipalities will likely provide more actionable advice today than centralized resources you may have used in years past. For example, the National Conference of State Legislatures on Artificial Intelligence, Cybersecurity and Privacy and Government AI coalition are two examples of consortiums focused on dealing with specific challenges related to current innovation, with context from people working in and alongside government entities. One example from the recent concern over MITRE and CVE funding includes the CVE Foundation, launched to decouple this critical service from its reliance on government sponsorship. Additionally, the Advanced Technology Academic Research Center’s working group on Continual Authorization to Operate (cATO) is helping government agencies reduce the notoriously high cost and effort that agencies bear to deploy and maintain compliant systems.
  • Accelerate your transition to DevSecOps. Adopting a DevSecOps approach is essential for your future success. The advantages include quicker releases with enhanced quality and security, automated documentation to meet cybersecurity mandates such as providing a software bill of materials (SBOM), enforced secure coding practices, boosted developer productivity, and faster time to fix security vulnerabilities. No matter what your current stage in the DevSecOps journey, review the DevSecOps best-practices roadmap — prepare, crawl, walk, run — to assess your current position and plan your next steps. Select metrics to monitor progress, such as the percentage of applications undergoing automated security testing or the reduction in the mean time to remediate (MTTR). Prove your value by sharing progress, successes, and lessons learned with other teams.
  • Update incident response plans to support mission continuity. Security teams can’t let incident response (IR) procedures sit idle as they navigate significant staffing and leadership changes, availability of support services, and new organizational priorities. Map key IT systems, applications, and data to specific mission services and planning to minimize disruptions during and after an incident occurs. Refine your IR plan and playbooks to adapt to abrupt changes in staff and ensure that each member of the core IR team has a bench that is at least two practitioners deep — and that those practitioners, especially those on development paths to fill key IR team roles, are provided opportunities to refine or reinforce critical IR and recovery skills. Make sure incident response capabilities are tested, documented, and tied to mission continuity plans. Maintain a regular schedule of tabletop exercises for key mission programs and services.

Pursue Strategies To Strengthen Operational Efficiency

Operational efficiency and cost savings are paramount for both the public and private sectors now. With fewer resources, efficiency is vital to execute on the mission and to mitigate human error amid all the change. Take stock of your security program and:

  • Align security and risk metrics to mission outcomes and impact. Metrics are even more essential in times of volatility. They demonstrate the historical baseline of security programs and how external circumstances such as budget, evolving threats, system/process changes, or resource constraints are improving or diminishing security program goals. While federal security teams track a variety of operational metrics, including quarterly FISMA CIO metrics, these metrics lack strategic alignment with mission outcomes and risk reduction goals. Highlight how cyber incidents can disrupt core agency functions or programs, as well as how improvements in operational performance reduce potential data loss, system downtime, and cost.
  • Embrace continuous risk management and continuous security testing. Continuous monitoring is a key differentiator between a reactive vs. proactive security program. It’s easier to pinpoint changes that could have significant impact with continuous assessment (as opposed to quarterly audits or annual penetration tests) of risks, program objectives, threats, and vulnerabilities. Prioritize continuous risk management and continuous security testing now so you can establish a defined baseline today and quickly demonstrate when frequent shifts in policy are impacting your ability to protect your organization and citizens. If you’re early in your continuous monitoring journey, don’t try to monitor everything at once; start with a few high-value controls (i.e., account management, flaw remediation, configuration settings, etc.), mission-critical systems, or priority datasets.
  • Be a champion for automation. Identify opportunities to automate repetitive security tasks where feasible (e.g., patching, incident response processes, compliance reporting, evidence collection, task management workflows, etc.). Collaborate with team members to understand core tasks and which are causing the most friction in terms of time, reliability, or effort. Document and track any cost savings or improved response times from these efforts through the appropriate metrics.

Lead Through Change

During times of uncertainty, clear, honest, and empathetic communication with your team is critical. Absent of information, fear, doubt, and uncertainty will certainly fill the vacuum, making an already stressful situation worse. If you happen to be thinking, “But I don’t know,” don’t underestimate the power and importance of relaying just that and letting your teams know you will keep them informed.

Be honest about what you do and don’t know. From a work standpoint, you don’t want your team paralyzed by a lack of direction. Keep them focused on the tasks at hand and the strategies raised in this blog. Budget and staffing cuts can damage morale and a team’s sense of psychological safety, but affirming a sense of purpose with open, honest dialogue goes a long way.

If you are a Forrester client and need help to navigate through these changes, we’d love to help. Please reach out and schedule an inquiry or guidance session.